How Secure is Encrypting Just the system partition Vs Whole Disk in the given scenario.

Hard Disk has 1partition for recovery (dell) 1 partition for Windows 7. if I were to only encrypt the System Partition how secure would that be?

My only thought is worse case scenario someone boots into recovery and wipes the whole drive, (which they could do anyway with a linux Distro and no bios pass). Is there anything i'm missing? Would true crypt store any file on the recovery partition that a forensics expert could use to hack the drive?

Last edited by Thegmandrive on Wed Sep 26, 2012 5:58 pm, edited 1 time in total.

If the recovery drive is used for recovery, so all your data, settings, passwords, etc., are stored there unencrypted, it would not be an ideal setup if you only encrypt the system partition as it would be the same as shooting yourself in the foot.The attacker would simply read the unencrypted partition. Anyway, no encryption vs. some or FDE (Full Disk Encryption) is definitely better and will protect you against some people.If the other partition was not a recovery partition, it wouldn't matter if it was encrypted or not. The most effective way, is the way where you can't recover your data without a strong password, even if you use a linux distribution to read the disks while they are encrypted and the bios password(s) may have been reset.It's pretty much a question of, how paranoid you are (Because you can also have partitions, within partitions when you use TrueCrypt, and boot up from each one, depending on which boot password you type in.)

I would be concerned that if you encrypted the Dell recovery partition that it would no longer work... most of the recovery partitions are just press F12 at boot and select Recover or drop the CD in the drive and off it goes.

MaXe wrote:If the recovery drive is used for recovery, so all your data, settings, passwords, etc., are stored there unencrypted, it would not be an ideal setup if you only encrypt the system partition as it would be the same as shooting yourself in the foot.

I apologize I was not as clear as I should have been. The recovery drive is an Operating system recovery partition back to factory settings, it is not a backup disk. It does not contain any User Data that is on the windows partiton.

My thought is if someone were to "recover" it would reformat the drive back to factory setting. Which would loose all the data and make recovery impossible due to the deletion of the header key(unless of course you had a backup of the header key).

My concern is, would true crypt store any information on this partition?

SecurityMonkey wrote:I would be concerned that if you encrypted the Dell recovery partition that it would no longer work... most of the recovery partitions are just press F12 at boot and select Recover or drop the CD in the drive and off it goes.

That was why I actually only encrypted the system partiton and not the recovery partition. The other concern was depending on if the bios supports it or not, if the recovery partition was encrypted, it would fail to boot.

As far as I know (and I could be wrong!) the recovery partition is protected and the user can't (most of the time) write files to it. When you use it to recover it will just blow your system partition away and it will be like a new one.

So if that is the case then there is no value in encrypting that partition as it holds no user info, just OS, drivers and the bloatware that Dell provide.

Ah well in that case, you shouldn't encrypt the recovery partition, because as many others said, it would most likely not work, and if it doesn't contain any user data, no need to protect it further with encryption.

There is of course the scenario of an attacker using it, to recover the OS and thereby wiping the system partition.

TrueCrypt should however, not store any information on this partition at all, as I have been using partition-based encryption for years. The only thing that was proved insecure, at least for some time, were TrueCrypt containers (encrypted files that could be mapped as drives).

I usually delete the recovery partition though, and lock the bios too as much as possible, even though most bios passwords can be reset on the motherboard.

You should however note, that if you use partition based encryption, TrueCrypt will also overwrite the bootloader for e.g. Windows or Linux, depending on what you use. (And if you at a later point in time, overwrite TrueCrypt bootloader, which decrypts the Windows bootloader, it won't be fun ;D )

Why not take an image of the recovery partition and then encrypt the whole drive? In the grand scheme of things, I don't think it will matter much whether you encrypt the whole drive or just the system drive. Most recovery partitions are marked hidden, and if someone has hooks into your machine such that they can manipulate your hidden partition, you are sunk anyway.